Guidance for Organisations on Phishing and Social Engineering Attacks
One of the main obligations under the General Data Protection Regulation (GDPR) for
organizations which process personal data (‘controllers’) is that they must do so in a
manner that ensures appropriate security of the personal data, including protection
against unauthorized or unlawful processing (including theft, destruction or damage, or
disclosure), using ‘appropriate technical or organizational measures’. This is sometimes
referred to as the principle of ‘integrity and confidentiality’ or the ‘security principle’.
This obligation is an important one, which controllers should be cognisant of, particularly
those who utilize or store sensitive personal data. Whether or not an organization has
appropriate technical and organizational measures in place to ensure the security of the
personal data they process is one of the first questions the Data Protection Commission
(DPC) is likely to ask in the event of a personal data breach or the exercise of the DPC’s
investigative powers. Controllers can also consult our guidance for controllers on data
security when assessing the appropriate security measures they need to implement.
One way in which risks to the security of personal data can arise is through what are
known as ‘phishing’ or ‘social engineering’ attacks. Phishing is a type of social
engineering commonly used to deceive users: an attacker fraudulently attempts to trick
users into disclosing sensitive information, such as usernames, passwords or credit card
details, by posing as a trusted source in an electronic communication. By using a trusted
source, name or familiar logo as ‘bait’, attackers go ‘fishing’ for sensitive information,
such as personal data. This can be done in many ways, such as ‘email spoofing’ (where
cloned or similar-looking email addresses or display names are used), misdirecting users
into entering sensitive information on a fake website (which looks very much like the
legitimate one), or inducing users to download harmless-looking but malicious software
(often disguised as an email attachment).
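The ‘email spoofing’ techniques described above (cloned or similar-looking sender addresses and display names) can be screened for mechanically at the mail gateway. The script below is an added illustration for this page and is not part of the DPC’s guidance; the trusted domain list (`example.com`, `example.ie`), the sample messages and the finding names are assumptions constructed for the example. It folds confusable characters (`1` for `l`, `rn` for `m`, accented letters), measures edit distance against the organisation’s own domains, and flags a `Reply-To` that diverts replies elsewhere or a display name that claims the brand while the address does not belong to it.

```python
"""Heuristic checks for spoofed or look-alike sender addresses.

Added example for this guidance page, not the DPC's own material.
TRUSTED_DOMAINS, the sample messages and the finding names are assumptions.
"""
import email
from email import policy
from email.utils import parseaddr
import unicodedata

# Assumed: the organisation's genuine sending domains.
TRUSTED_DOMAINS = {"example.com", "example.ie"}

# Substitutions attackers use to build look-alike names.
_DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def fold_confusables(domain: str) -> str:
    """Normalise a domain so look-alikes collapse onto the name they imitate."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())   # 'á' -> 'a' + accent
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    plain = plain.translate(_CHAR_MAP)                            # '1' -> 'l', '0' -> 'o'
    for digraph, single in _DIGRAPHS:
        plain = plain.replace(digraph, single)                   # 'rn' -> 'm'
    return plain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Extract the lower-cased domain from 'Name <user@domain>' or 'user@domain'."""
    _, addr = parseaddr(str(address))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is genuine/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = fold_confusables(domain)
    trusted_sorted = sorted(TRUSTED_DOMAINS)          # deterministic preference order
    for trusted in trusted_sorted:                    # 1. confusable substitution
        if folded == fold_confusables(trusted):
            return trusted
    for trusted in trusted_sorted:                    # 2. one-character typosquat
        if edit_distance(folded, trusted) <= 1:
            return trusted
    for trusted in trusted_sorted:                    # 3. brand embedded in another domain
        if trusted.split(".")[0] in folded:
            return trusted
    return None


def analyse(raw_message: str) -> list:
    """Return (finding, detail) tuples for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike_sender_domain", f"{from_domain} imitates {imitated}"))

    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply_to_mismatch", f"replies diverted to {domain_of(reply_to)}"))

    # Display name claims the brand, but the address is not one of ours.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted.split(".")[0] in display_name.lower():
                findings.append(("display_name_spoof", f'"{display_name}" sent from {from_domain}'))
                break
    return findings


# Constructed sample messages (not real traffic).
SPOOF_MSG = """From: "Example Bank Support" <support@examp1e.com>
Reply-To: billing@secure-mail-verify.net
Subject: Urgent: verify your account
Content-Type: text/plain

Please verify your details at the link below within 24 hours.
"""

SUBDOMAIN_MSG = """From: Example <noreply@example.com.account-check.net>
Subject: Account notice
Content-Type: text/plain

Your account requires attention.
"""

LEGIT_MSG = """From: "Example Bank Support" <support@example.com>
Subject: Your monthly statement
Content-Type: text/plain

Your statement is available in online banking.
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF_MSG), ("subdomain", SUBDOMAIN_MSG), ("legit", LEGIT_MSG)):
        print(name, analyse(raw))
```

These heuristics complement, rather than replace, SPF/DKIM/DMARC enforcement: the look-alike and brand-embedding checks catch domains the attacker legitimately controls, which authentication alone will pass.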
Download The Full Guidance for Organisations on Phishing and Social Engineering Attacks